cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Louis Twomey <louis.twomey AT heanet.ie>
- To: Paul Dekkers <paul.dekkers AT surf.nl>
- Cc: Guy Halse <guy AT tenet.ac.za>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Correct method for certificate rollover in CAT?
- Date: Fri, 15 Oct 2021 10:04:39 +0000
- Accept-language: en-IE, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=heanet.ie; dmarc=pass action=none header.from=heanet.ie; dkim=pass header.d=heanet.ie; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CwMWEmxMrP7DgEp45gBpbCrTbHAWDBgmaVKgn93i2rI=; b=dAA6pRkIpae2m04hqgb/pIbQ8LAT66OhL+IJyieY1PK+hNVQLnor2LdwnBbg7237/WEl8iqhUNvvdI1tGcRcs+Id2pSGmAxoEqYf/ia0+URy5gPZrUyHyZCMPsVZD63PTj7lVtfvsLdXH2brcJvtuLAxka3NxVOqbQvENk5V7nA7p5L49I017JDJyvDO46NReEwh9t4HjhokeRyi+Dh3qdurXV3mTrbOx0puXcAm5FaRJSkg0X234OsvQyvKGSsePUpnbqShIqm/gAnHljuAiBo8zmTIQTyyArcDLAFzQ1MR8tk2K6dcPdPhJ9HTQ03Qs2+6IcMav/IHkPTlsGbnAw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=asbsOGjd9h91+wN9Y8Jgo9V0Izb20mCFijkRgkzi+OkIeWTx3ZQ+NKTmU86yXrrJY4Ix9aygBfHiTpBekFxoQH4jNCXFxjmC5wzuw5xvHBjFWtQbf1Pb+1K2wtH/kLUvwkaDe9QBkjG1HQEeB3kOcEHUegB/9ZQiv1BIulsAv/XUAmY3PEu8E0luLHJchWePY1Ru8hMkVwtyd0exfFrwgF6cR2V4JpGh/bX/wy8NxVLnTP6GMvxcBayaACSfaDjyqQW1rR9nJfo+9ia4YBSbnZ9C9Sv2U07+2GKKukHgFLEDF+xk4uAQkj9296IcleoK+pO0poDPoUz/6/Ez7Vcesw==
- Authentication-results: surf.nl; dkim=none (message not signed) header.d=none;surf.nl; dmarc=none action=none header.from=heanet.ie;
Hi Guy,
Android < 7.1 does not allow more than one CA to be installed with a profile,
so with those devices you have no way to cleanly migrate and you basically
cut them off when you switch to the new server cert.
Regards,
Louis
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey AT heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
> On 15 Oct 2021, at 10:55, Paul Dekkers <paul.dekkers AT surf.nl> wrote:
>
>
> CAUTION[External]: This email originated from outside of the organisation.
> Do not click on links or open the attachments unless you recognise the
> sender and know the content is safe.
>
>
> Hi,
>
> On 15/10/2021 10:40, Guy Halse wrote:
>> Hi
>>
>> We have an IdP that wants to roll over the certification authority it uses
>> and deploy on a new RADIUS instance. In this process, both the CA
>> certificate and the CN used for validation will necessarily change.
>>
>> The CAT web application supports adding both multiple root certs and
>> multiple subject CNs into a profile, which means it's possible to generate
>> a profile that theoretically covers both the old and new infrastructure.
>> This looks to be the way to mimise the end-user impact of rolling over,
>> since users can be asked to re-install from CAT prior to the migration
>> with the assurance then they'll work in both scenarios without
>> interruption.
>>
>> However, I seem to remember there were platform-specific limitations on
>> how that works in practice. The platforms they're most interested in are
>> Windows 10, Android, and iPhone -- and for some reason I seem to remember
>> this being broken on Android?
> That is true for the old eduroam CAT App I believe, but geteduroam supports
> multiple CAs just fine. So I can myself actually only speak for geteduroam;
> but there I don't see this as an issue. (Also the Windows geteduroam App
> installs multiple CAs, and I believe the CAT installer does as well.)
>
> The proof of the pudding, ... ;-) if you have older devices that need the
> old CAT app, that may be an issue.
>
>> Does it help to issue a cert with a SubjectAlternativeName matching the
>> old CN used for validation? (I'm not sure that's actually possible in this
>> case, but it was a thought I had.)
> I don't think this is necessary per se, but it's better not to change it
> too much, for some platforms will fall back to a "matching substring". But
> that's also the more legacy Android types,
>> Does anyone have experience with this sort of roll-over who can offer
>> advice one what does and doesn't work? Or better yet, point me at
>> documentation?
> I do like Jan-Frederik comments/experiences too. The part I described is
> only ... well, part of the story. The rest is getting people to migrate.
> (Of course the tric with anonymous usernames may trigger the anonymous
> username bugs; it may be safer if you prefix with anon also, so anon2021
> may be better, I forgot the entire logic that worked or didn't work.)
>
> Regards,
> Paul
>
>
>>
>>
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
- [[cat-users]] Correct method for certificate rollover in CAT?, Guy Halse, 10/15/2021
- Re: [[cat-users]] Correct method for certificate rollover in CAT?, Jan-Frederik Rieckers, 10/15/2021
- Re: [[cat-users]] Correct method for certificate rollover in CAT?, Paul Dekkers, 10/15/2021
- Re: [[cat-users]] Correct method for certificate rollover in CAT?, Louis Twomey, 10/15/2021
- Re: [[cat-users]] Correct method for certificate rollover in CAT?, Louis Twomey, 10/15/2021
- Re: [[cat-users]] Correct method for certificate rollover in CAT?, Tony Skalski, 10/15/2021
- Re: [[cat-users]] Correct method for certificate rollover in CAT?, Martin Pauly, 10/16/2021
- Re: [[cat-users]] Correct method for certificate rollover in CAT?, Louis Twomey, 10/15/2021
Archive powered by MHonArc 2.6.19.